Google will pay bug hunters to find flaws in anyone’s software, not just its own

Earlier this year, a flaw in the SSL protocol led to widespread panic among systems administrators. Google employees — like Neel Mehta — were among the security researchers who helped discover and extinguish the Heartbleed fire, but they were acting in an unofficial capacity. On Tuesday, Google said it created a team, called Project Zero, dedicated to finding previously undiscovered vulnerabilities in third-party (i.e. non-Google) software.

What does Google get out of paying people to find flaws in, say, Microsoft software? At first glance, Project Zero is deeply self-interested: a zero-day exploit out of Google’s control — like a bug in Adobe Flash — can easily affect Google users, opening them up to attacks from corporate spies, government bodies, and run-of-the-mill criminals. Security is often only as good as its weakest link, and zero-day exploits represent a significant attack vector.

Google said it will take an ethical approach when it finds a bug in another company’s software: it will notify the company responsible — no third parties — and give it time to issue a fix. When the bug report is made public, usually alongside a security patch, Google will record the bug in an external database and publish statistics.

Google and other companies already pay “bug bounties” to friendly hackers who report zero-day vulnerabilities — George Hotz collected $150,000 for finding a Chrome flaw earlier this year. But for white hat hackers, such bounties are hard to rely on as a primary income because finding security flaws is not a consistent, linear process. And although some zero-day exploits can fetch huge sums on the black market, that comes with moral issues.

Project Zero represents an interesting proposition for some of the world’s most talented hackers: a Google email address, the resources of a committed giant with the freedom to choose interesting projects, and most importantly, steady and presumably very competitive income. It will be interesting to see which security researchers decide to join the Google mothership — Project Zero is currently hiring.